When a child asks you for a password on your iPad, think before entering.

Parents who regularly hand their iDevices over to their children, take note: you can still be burned by kids making in-app purchases. The BBC published a story on Friday highlighting a five-year-old's impressive feat in running up a £1,700 iTunes bill—about $2,500—after his father entered a passcode to allow him to download a "free" game from the App Store. The details of the situation reveal a series of unfortunate events that led to the truly epic tab, though Apple has since refunded the money.

There are a few things the Kitchens could have done better when their son, Danny, began using an iPad to play games. The article doesn't specify whether Danny's father entered a passcode for the device, for the App Store, or within the app itself, but the last scenario listed seems most likely. Entering a password to download apps in the App Store used to mean the user could begin charging in-app purchases without re-entering that password for 15 minutes as the default iOS behavior.

Apple made that more difficult with iOS 4.3 in early 2011 by requiring the App Store password a second time when in-app purchases are made. Assuming the family's iPad was running a more recent version of iOS, it sounds like Danny's father entered his password when Danny began to make purchases, not realizing what he was authorizing.

Danny apparently began buying stuff right away, and the Kitchens were even notified by e-mail of charges being made to their account: "The next day the Kitchens received e-mails which itemized successive £69.99 purchases, but they were believed to be sent in error and dismissed," wrote the BBC. The total charges of £1,700 were only brought to the family's attention thanks to a call from the credit card company.

Apple also provides a way to prevent in-app purchases altogether in its parental controls (found within Settings > General > Restrictions), though many parents are still unaware of these controls or how to use them:

Parental controls are a must if you exist in a world with children in it.

The parental controls also allow users to set a time limit for how long you can make purchases until having to enter the password again: the default is 15 minutes, but you can also set it to "immediately" if you want iOS to ask you every time. Setting up such controls—and understanding what your child is asking for when he or she wants a password entered—can help cut down on these incidents. After all, you can't always count on Apple to issue a refund, especially if you're the one who's entering the password.

Jacqui Cheng
Jacqui is an Editor at Large at Ars Technica, where she has spent the last eight years writing about Apple culture, gadgets, social networking, privacy, and more. Emailjacqui@arstechnica.com//Twitter@eJacqui

158 Reader Comments

it sounds like Danny's father entered his password when Danny began to make purchases, not realizing what he was authorizing.

So, not to knock the other instances where kids have gone on to willy-nilly get IAP after a free purchase (or update) was made from the store, but here the father didn't notice that he was putting his password in for an IAP. In that case, he gets a lot less sympathy.

The timer on the IAP password authentication might need to get toned down, though, if this continues to be a problem and not a 1 time blown up story.

This is why I explicitly consider "the account owner's children" to be a part of the threat model when I research mobile security. Ie: "this hack requires the user to accept the hacker's cert into the local storage. Who'd do THAT?" Children promised free games. Thousands of them.

Effective real-world security is a pain. It seems like Apple have done an honest job in this case... there remains making users aware of it. With ever more games using in-app purchases, that's important. Maybe a specific tutorial at the time of the first (first few ?) in-app purchases ?

The app designers target children. It's pathetic. We downloaded a My Little Pony game for my daughter, and it had a $99 purchase in it. Are you serious!?!?! $99 for a kids game??? If I met the designers of the game, I would punch them in the face.

Wouldn't it be simpler if there was like a cap of $100 on any in app purchases in one day?

You'd be surprised at how many adults playing Zynga games make $1,000 purchases a day. Mafia-wars even have a big spender club for people who made `$10,000 worth of Mafia-war purchases per month back when I worked for them.

The app designers target children. It's pathetic. We downloaded a My Little Pony game for my daughter, and it had a $99 purchase in it. Are you serious!?!?! $99 for a kids game??? If I met the designers of the game, I would punch them in the face.

This is so true. I haven't run into anything *that* egregious, but I've seen some freemium games my daughter plays and they make it incredibly easy and tantalizing to burn enormous amounts of money. It is really predatory the way they're designed.

I have in-app restrictions in place so my daughter can't actually buy any of this stuff (even by accident), but I can totally see how this can happen. The worst behavior here is on the part of the app developers, but Apple needs to put in more procedural barriers to prevent this from happening.

They ask for your password when it's unnecessary anyways, like downloading free apps. Why not then have a setting that makes it ask for your credit card information with each in-app payment? That would be great for parents.

Personally I don't think IAPs are the big evil everyone seems to think they are if they are fairly implemented (many games with them don't require any purchases for the full experience), but I agree that with childrens apps extra precautions should be in place.

Wouldn't it be simpler if there was like a cap of $100 on any in app purchases in one day?

You'd be surprised at how many adults playing Zynga games make $1,000 purchases a day. Mafia-wars even have a big spender club for people who made `$10,000 worth of Mafia-war purchases per month back when I worked for them.

Good god are you serious?

Anyway, the only solution I see to this is apple implementing multiple user profiles the iPad.

Wouldn't it be simpler if there was like a cap of $100 on any in app purchases in one day?

You'd be surprised at how many adults playing Zynga games make $1,000 purchases a day. Mafia-wars even have a big spender club for people who made `$10,000 worth of Mafia-war purchases per month back when I worked for them.

The app designers target children. It's pathetic. We downloaded a My Little Pony game for my daughter, and it had a $99 purchase in it. Are you serious!?!?! $99 for a kids game??? If I met the designers of the game, I would punch them in the face.

Unfortunately, I believe that game targets grown males with social problems.

It still baffles me that there are no laws against selling microtransactions to children. It seems plainly obvious to me that selling imaginary things to children is all kinds of wrong, as they have yet to fully understand the value of money. It's the same reason why gambling is illegal for kids.

You'd be surprised at how many adults playing Zynga games make $1,000 purchases a day. Mafia-wars even have a big spender club for people who made `$10,000 worth of Mafia-war purchases per month back when I worked for them.

Good god are you serious?

Anyway, the only solution I see to this is apple implementing multiple user profiles the iPad.[/quote]

when the kid gets a prompt on his account to spend money, and the dad says "yes" and enters his credentials, how does it help?

Wouldn't it be simpler if there was like a cap of $100 on any in app purchases in one day?

You'd be surprised at how many adults playing Zynga games make $1,000 purchases a day. Mafia-wars even have a big spender club for people who made `$10,000 worth of Mafia-war purchases per month back when I worked for them.

You know for all the shit Apple gets for having a curated app store, it's interesting how much more restricted people seem to want Apple to make it.

Each app has a list of top in-app purchases that you can view before you download the game. If parents really are concerned about their kids making purchases, A) don't just hand back the device after you've entered your password, and B) take a moment to see what kind of in-app purchases you can make.

Apple can only do so much to protect you from your own stupidity/indifference.

I wonder how these app could stand a chance under Canadian regulation. I see this a bit like kid directed advertising, which is illegal here. But I do laugh a bit, knowing all the pain it may cause to bad parents with spoiled child.

Wouldn't it be simpler if there was like a cap of $100 on any in app purchases in one day?

You'd be surprised at how many adults playing Zynga games make $1,000 purchases a day. Mafia-wars even have a big spender club for people who made `$10,000 worth of Mafia-war purchases per month back when I worked for them.

Good god are you serious?

Anyway, the only solution I see to this is apple implementing multiple user profiles the iPad.

Nonsense, the parental limits explained in the article would have worked just fine if the parents had bothered to use them , and like someone else already said , no amount of safeguards will protect a careless parent.

The rules for kids and electronics haven't changed since I was a child 20+ years ago now, namely know what your kids are doing. That was always the rule for games/movies when I was growing up never understood the parents that bought kids R rated games/movies and then complained that their child had R rated games/movies.

This is the PARENTS FAULT. There is a setting right there to block in app purchases. You wouldn't hand your kids over the keys to your car and tell them - you can play with the radio but don't start the car up!!!

This is also the fault of apple for not allowing multiple user profiles on iOS, or a limited kids profile like Windows Phone Kids Corner, where you can restrict which apps the child has access to and obviously turn off things like the store that your child will not have access to.

It was a 7 year old, and our iPad and 500$. Apple was quickly able to refund the money as it was just a mistake, and we definitely locked down the iPad after the little fiasco. The grandson had downloaded a free game, and in the game you were able to buy coins for real cash. He didn't think anything of it, because it was inside the game itself and he knew better than to buy anything from the app store or so.

Last year a similar thing happened with us and our (then) six year old. But he saw my wife enter her password on her phone to download an app. He then later entered her password while playing Angry Birds Space. He proceeded to purchase $130 worth of Space Eagles. I think it ended up being over 6,000 Space Eagles.

We found out the next day. I promptly got hold of Apple and explained what happened. They ended up reversing the charges.

It still baffles me that there are no laws against selling microtransactions to children. It seems plainly obvious to me that selling imaginary things to children is all kinds of wrong, as they have yet to fully understand the value of money. It's the same reason why gambling is illegal for kids.

I don't think these developers are saints, but children don't have credit cards. Parents should be a little more involved with what their kids play, they've got systems in place to protect from this sort of thing happening, and the parent inadvertently circumvented that, in the end it got worked out.

They ask for your password when it's unnecessary anyways, like downloading free apps. Why not then have a setting that makes it ask for your credit card information with each in-app payment? That would be great for parents.

Actually, asking for your password even for free apps is necessary, because otherwise someone else could install an app in your phone and authorize it to access your data. Asking for the password when upgrading apps is not necessary, as you have already installed the apps, so iOS doesn't do it anymore.

They ask for your password when it's unnecessary anyways, like downloading free apps. Why not then have a setting that makes it ask for your credit card information with each in-app payment? That would be great for parents.

Personally I don't think IAPs are the big evil everyone seems to think they are if they are fairly implemented (many games with them don't require any purchases for the full experience), but I agree that with childrens apps extra precautions should be in place.

It is good security practice to require passwords. If parents are careful, they should be reviewing ANY app that their children download. It's basic security.

Is there NO option in iOS settings to 'Block ALL in app purchases'? This would prevent anyone from purchasing crap they don't want, and if you ever needed an in app purchase you could just toggle it back ON temporarily?

Then again Apple probably wants developers to abuse this in a limited fashion - not to the point of 20k in charges but $1-$5 most people would just yell at their kids instead of raising a ruckus about it with Apple and the media.

There is. My Ipad is set up like that since I let my toddler use it from time to time.

This is why mobile devices should allow multiple user accounts, just like desktop operating systems. Each account could be tied to a different credit card (or none), and you could even have a system that parents could use to give their kids an allowance that the kid's account could use for purchases (from the app store, or in-app purchases). The parents could set it up to automatically pay a fixed amount into the kid's account each week. This could help the kids actually learn to manage money (a skill that many people unfortunately don't learn)

Is there NO option in iOS settings to 'Block ALL in app purchases'? This would prevent anyone from purchasing crap they don't want, and if you ever needed an in app purchase you could just toggle it back ON temporarily?

Then again Apple probably wants developers to abuse this in a limited fashion - not to the point of 20k in charges but $1-$5 most people would just yell at their kids instead of raising a ruckus about it with Apple and the media.

Right there in the article.... "Apple also provides a way to prevent in-app purchases altogether in its parental controls (found within Settings > General > Restrictions), though many parents are still unaware of these controls or how to use them:"

Is there NO option in iOS settings to 'Block ALL in app purchases'? This would prevent anyone from purchasing crap they don't want, and if you ever needed an in app purchase you could just toggle it back ON temporarily?

Then again Apple probably wants developers to abuse this in a limited fashion - not to the point of 20k in charges but $1-$5 most people would just yell at their kids instead of raising a ruckus about it with Apple and the media.

In app purchases are blocked by default. That's why the dad in this story had to enter a password. What happened next really depends on which version of iOS he's running. It's entirely possible that someone clueless enough to let their kid run up $2,500 in IAPs is running a really old version of iOS.

EDIT: "Clueless" may be a little strong. How about "tech unsavvy" or something like that?

They ask for your password when it's unnecessary anyways, like downloading free apps. Why not then have a setting that makes it ask for your credit card information with each in-app payment? That would be great for parents.

Actually, asking for your password even for free apps is necessary, because otherwise someone else could install an app in your phone and authorize it to access your data. Asking for the password when upgrading apps is not necessary, as you have already installed the apps, so iOS doesn't do it anymore.

I'm pretty sure I still need to enter my password to update any apps on my iPad. Now android does have the option to allow auto-updating which doesn't require a password.

The app designers target children. It's pathetic. We downloaded a My Little Pony game for my daughter, and it had a $99 purchase in it. Are you serious!?!?! $99 for a kids game??? If I met the designers of the game, I would punch them in the face.

This is why mobile devices should allow multiple user accounts, just like desktop operating systems. Each account could be tied to a different credit card (or none), and you could even have a system that parents could use to give their kids an allowance that the kid's account could use for purchases (from the app store, or in-app purchases). The parents could set it up to automatically pay a fixed amount into the kid's account each week. This could help the kids actually learn to manage money (a skill that many people unfortunately don't learn)

Windows Phone 8 has this, its called Kids Corner. You can easily choose which apps the child has access to. Then when you go to your lock screen you swipe to the left and its the 'kids section'. They only can see apps that you choose and you setup a custom start screen for them with the tiles/apps they can use. If you don't want them to have access to Internet Explorer or your Email or the store then they don't.

This is better than multiple accounts, as with multiple accounts you would have to restrict who owns which paid apps they bought and if they should be shared on the same device between users. In WP8 you only pay for the app once and then choose what the kid has access to, they don't have to rebuy the app. Also a phone is almost always a single person device, so a person having to manage each user would be tedious when in reality they just need a single 'kids' account.

They ask for your password when it's unnecessary anyways, like downloading free apps. Why not then have a setting that makes it ask for your credit card information with each in-app payment? That would be great for parents.

Actually, asking for your password even for free apps is necessary, because otherwise someone else could install an app in your phone and authorize it to access your data. Asking for the password when upgrading apps is not necessary, as you have already installed the apps, so iOS doesn't do it anymore.

I'm pretty sure I still need to enter my password to update any apps on my iPad. Now android does have the option to allow auto-updating which doesn't require a password.

iOS 6 doesn't require passwords to update. But if you have iPad 1, then you are stuck back on iOS 5, which still requires a password.